Well, it’s been an interesting start to the week, to say the least. We all woke up Monday to read about a new wireless vulnerability labeled KRACK, or key reinstallation attack.
What it does
At a high level, this exploit of Wi-Fi Protected Access (WPA) and its more secure version, WPA2, allows an attacker to reinstall a pairwise transient key, a group key, or an integrity key. This affects both the AP side and the client side, and once a hacker has this information, they are able to capture traffic and then decode the encrypted traffic, so what was once hidden is now easily read. There is also the possibility of the attacker injecting malware by modifying and replaying previous traffic flows.
What you should do
There are two sides of this equation that users will want to review and patch in their environments. The first is the wireless infrastructure, consisting of access points (APs) and wireless controllers in enterprise deployments. For small business or home users, this will be a wireless “router” connecting you to your Internet Service Provider. All enterprise manufacturers have addressed this vulnerability, and are posting information about affected products, code upgrades, and timelines for any outstanding fixes. Manufacturers that typically support consumer products are posting information on the vulnerability, and should have information posted on code upgrades as well. It should be noted that some older hardware may not be upgraded or patched by manufacturers, so read the manufacturers’ bulletins closely.
The other side of the equation affected by this vulnerability is the client side, and while an organization may have only a single manufacturer to support on the wireless infrastructure, it may have multiple operating systems and client adapters to support. The KRACK exploit is found in the client supplicant, the portion of the software that connects a wireless client to the wireless network. All of the operating system manufacturers have addressed this vulnerability, and are posting information about affected products, code upgrades, and timelines for any outstanding fixes. Microsoft pushed updates on 10-10-17 to address the exploit, while Apple says the iOS 11.1 beta 3 has the patch. Other platforms, like Google’s Android OS, are a little more complicated due to the various device hardware manufacturers, so reach out to each hardware manufacturer for information on the KRACK exploit. There is an exploit possible in the physical wireless adapter hardware, and on some models the wireless protocol can be handed off to the firmware on the adapter itself, so checking with each adapter manufacturer for firmware or software updates is equally important.
Fixing the client side addresses the majority of the KRACK exploits but not all, so fixing one side without the other is still going to leave a vulnerability in the network.
Sifting through the chatter
As I looked at some of the various chat boards over the last few days, it was interesting to see responses from various organizations to the KRACK exploit. The responses I found most interesting are from the organizations that are not going to act immediately, as they feel wireless encryption is not the only tool they use to secure the network. These organizations employ an in-depth security approach to protecting the network. They secure from the edge to the core, leveraging different techniques and solutions at each level to inspect, analyze, block, and report on network traffic. This provides a greater level of protection when new attack vectors like KRACK emerge. They have a wireless IPS to look for signatures like null key attacks, Initialization Vector (IV) reuse, and honeypot APs, which are key indicators of an attacker running the KRACK exploit. All of this logging information from each level in the network is sent up to a SIEM, where it is aggregated and can trigger event notifications. This allows an IT organization to respond to actionable information by clearing all the chatter out of the environment, and to see the next network exploit.
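One way a wireless IPS sensor could implement the IV reuse check mentioned above, shown as an added example (not ePlus or vendor code): under WPA2 CCMP the per-frame nonce is built from the packet number (PN) carried in the clear, so the check flags data frames that repeat a PN for the same transmitter, receiver and key ID. The Frame record layout, the event name ccmp_pn_reuse and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from typing import NamedTuple

class Frame(NamedTuple):
    ts: float      # capture time in seconds
    ta: str        # transmitter address
    ra: str        # receiver address
    key_id: int    # key ID field of the CCMP header
    pn: int        # 48-bit CCMP packet number, sent in the clear
    seq: int       # 802.11 sequence number
    retry: bool    # Retry bit of the frame control field

def find_pn_reuse(frames):
    """Return one SIEM-style event per frame that repeats a packet number."""
    first_seq = defaultdict(dict)   # (ta, ra, key_id) -> {pn: seq that first used it}
    events = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        seen = first_seq[(f.ta, f.ra, f.key_id)]
        if f.pn not in seen:
            seen[f.pn] = f.seq
            continue
        # A link-layer retransmission legitimately repeats PN and sequence number.
        if f.retry and f.seq == seen[f.pn]:
            continue
        events.append({"event": "ccmp_pn_reuse", "ts": f.ts, "ta": f.ta,
                       "ra": f.ra, "key_id": f.key_id, "pn": f.pn,
                       "first_seq": seen[f.pn], "seq": f.seq})
    return events

STA1, STA2, AP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:aa"
# Constructed sample records (not real traffic): STA1 starts over at PN 1
# after reaching PN 3, which is what a reinstalled key looks like on the air.
SAMPLE = [
    Frame(0.10, STA1, AP, 0, 1, 100, False),
    Frame(0.20, STA1, AP, 0, 2, 101, False),
    Frame(0.21, STA1, AP, 0, 2, 101, True),    # retry of the same frame: benign
    Frame(0.30, STA1, AP, 0, 3, 102, False),
    Frame(1.50, STA1, AP, 0, 1, 103, False),   # PN 1 on a new frame
    Frame(1.60, STA1, AP, 0, 2, 104, False),   # PN 2 on a new frame
    Frame(1.70, STA2, AP, 0, 1, 7, False),     # other station: separate counter
]

if __name__ == "__main__":
    for event in find_pn_reuse(SAMPLE):
        print(json.dumps(event))
```

A legitimate rekey also restarts the packet number, so these events are best correlated in the SIEM with handshake activity for the same station rather than treated as proof on their own.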
How ePlus can help
ePlus delivers custom cybersecurity programs built upon strong culture and integrated technology that help protect organizations from cyber-attacks like KRACK. Our goal is to provide you with the information and tools necessary to be vigilant in the current environment.
If you would like to learn more about the KRACK exploit and how to secure your network using an in-depth security model, or to learn more about security assessments, please reach out to your ePlus account manager or contact us at firstname.lastname@example.org. More information can be found at www.eplus.com/security.